#auth

### Summary A critical SQL Injection vulnerability exists in the `getLast` API functionality of the eKuiper project. This flaw allows unauthenticated remote attackers to execute arbitrary SQL statements on the underlying SQLite database by manipulating the table name input in an API request. Exploitation can lead to data theft, corruption, or deletion, and full database compromise. ### Details The root cause lies in the use of unsanitized user-controlled input when constructing SQL queries using `fmt.Sprintf`, without validating the `table` parameter. Specifically, in: ```go query := fmt.Sprintf("SELECT * FROM %s ORDER BY rowid DESC LIMIT 1", table) ``` Any value passed as the `table` parameter is directly interpolated into the SQL string, enabling injection attacks. This is reachable via API interfaces that expose time-series queries. ### PoC 1. **Deploy eKuiper instance** (default config is sufficient). 2. **Send a crafted request to the SQL query endpoint**: ```bash curl -X ...

Cybercrime forum XSS is back online on its mirror and dark web domains just one day after seizure and admin arrest, but questions about its full return remain unanswered.

View CSAF 1. EXECUTIVE SUMMARY CVSS v4 9.3 ATTENTION: Exploitable remotely/low attack complexity Vendor: Network Thermostat Equipment: X-Series WiFi thermostats Vulnerability: Missing Authentication for Critical Function 2. RISK EVALUATION Successful exploitation of this vulnerability could allow an attacker to gain full administrative access to the device. 3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS The following Network Thermostat product is affected: X-Series WiFi thermostats: Versions v4.5 up to but not including v4.6 X-Series WiFi thermostats: Versions v9.6 up to but not including v9.46 X-Series WiFi thermostats: Versions v10.1 up to but not including v10.29 X-Series WiFi thermostats: Versions v11.1 up to but not including v11.5 3.2 Vulnerability Overview 3.2.1 Missing Authentication for Critical Function CWE-306 The embedded web server on the thermostat listed version ranges contain a vulnerability that allows unauthenticated attackers, either on the Local Area Network or from the...

View CSAF 1. EXECUTIVE SUMMARY CVSS v4 8.3 ATTENTION: Exploitable remotely Vendor: LG Innotek Equipment: Camera Model LNV5110R Vulnerability: Authentication Bypass Using an Alternate Path or Channel 2. RISK EVALUATION Successful exploitation of this vulnerability could allow an attacker to gain administrative access to the device. 3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS The following model of LG Innotek CCTV Camera is affected: LNV5110R: All versions 3.2 Vulnerability Overview 3.2.1 AUTHENTICATION BYPASS USING AN ALTERNATE PATH OR CHANNEL CWE-288 An authentication vulnerability exists in the LG Innotek camera model LNV5110R firmware that allows a malicious actor to upload an HTTP POST request to the devices non-volatile storage. This action may result in remote code execution that allows an attacker to run arbitrary commands on the target device at the administrator privilege level. CVE-2025-7742 has been assigned to this vulnerability. A CVSS v3 base score of 7.0 has been calculate...

National Nuclear Security Administration and National Institutes of Health targeted in global Microsoft SharePoint vulnerability exploitation. Chinese hacking groups suspected in widespread data breaches.

Cisco Talos Incident Response (Talos IR) recently observed attacks by Chaos, a relatively new ransomware-as-a-service (RaaS) group conducting big-game hunting and double extortion attacks.

Europol on Monday announced the arrest of the suspected administrator of XSS.is (formerly DaMaGeLaB), a notorious Russian-speaking cybercrime platform. The arrest, which took place in Kyiv, Ukraine, on July 222, 2025, was led by the French Police and Paris Prosecutor, in collaboration with Ukrainian authorities and Europol. The action is the result of an investigation that was launched by the

A cross-site scripting (XSS) vulnerability in the component /blog/blogpost/add of Mezzanine CMS v6.1.0 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into a blog post.

FBI warns of Interlock ransomware using unique tactics to hit businesses and critical infrastructure with double extortion.

XSS.IS has been seized after its admin was arrested in Ukraine, however its dark web and mirror domains only show a 504 Gateway Timeout error.